HotelDruid SQL Error-Based Sensitive Information Disclosure and Denial-of-Service Vulnerability

Vulnerability

A vulnerability allowing sensitive information disclosure and denial-of-service has been identified in HotelDruid versions 3.0.0 and 3.0.7. The issue arises from verbose SQL error messages on the 'creadb.php' endpoint, before the 'create database' button is pressed. An unauthenticated attacker can exploit this vulnerability by sending malformed POST requests, potentially obtaining the administrator's username, password hash, and salt. In some instances, this exploitation leads to a denial-of-service condition, preventing the administrator from logging in even with the correct credentials.

Impact

Successful exploitation allows attackers to access sensitive information such as the administrator username, password hash, and salt. If the extracted password hash is from a weak password, it could be brute-forced to recover the plaintext password. Additionally, exploitation causes a denial-of-service condition, blocking administrator login access.

Reproduction

To reproduce this vulnerability, send multiple malformed POST requests to the 'creadb.php' endpoint before pressing the 'create database' button. This can be done using a Python script that automates the process, such as the 'exploit.py' file available in the GitHub repository for this CVE. After successfully exploiting the vulnerability, the 'brute.py' script can be used to recover the plaintext password, if the extracted password hash is from a weak password.

Added: Jun 20, 2025, 6:32 PM
Updated: Jun 20, 2025, 6:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 5.0
exploitability: 9.5
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.